SonarQube doesn't show Bandit's Python security vulnerability report

Tags: python, sonarqube, bandit-python

Overview

I am using SonarQube 7.4.0.18908 to collect code coverage and run static code analysis for a Python 3.6 project. The server runs in AWS. Everything works fine (see the screenshot below).

Now I want to add security scanning to the project. I "chose" it, but actually it seems to be the only tool currently integrated with SonarQube for Python, as described there. The SonarPython plugin, which is installed on the SonarQube server, supports Bandit analysis. To generate the vulnerability report locally, I used the Bandit 1.5.1 pip3 module.

Problem

The vulnerability report does not show up in SonarQube, and perhaps is not even uploaded to SonarQube (see the same screenshot below).

Steps to reproduce

I added this line to the project's sonar-project.properties file:

sonar.python.bandit.reportPaths=bandit-report.json
sonar.host.url=https://sonarqube.mydomain
sonar.scm.disabled=true

sonar.projectKey=security-scan
sonar.projectName=Security Scan
sonar.projectVersion=1.0

sonar.language=py

sonar.sources=src
sonar.tests=tests
sonar.python.coverage.reportPath=coverage.xml

sonar.python.bandit.reportPaths=bandit-report.json

sonar.exclusions=**/*.pyc,**/*.ini
sonar.test.exclusions=**/*.pyc
Then I ran the report:

pip3 install bandit==1.5.1
bandit --format json --output bandit-report.json --recursive src
I verified that bandit-report.json contains the correct data:

{
  "errors": [],
  "generated_at": "2019-01-30T14:49:18Z",
  "metrics": {
...
"results": [
    {
      "code": "8 def prepare_df_for_comparison(df, name, ignore_columns=None, sort_columns=None):\n9     assert df is not None\n10 \n11     # upper-case all columns\n12     df.columns = [x.upper() for x in df.columns]\n",
      "filename": "./build/lib/tasks/compare_df.py",
      "issue_confidence": "HIGH",
      "issue_severity": "LOW",
      "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
...

Then I published to SonarQube:

sonar-scanner
Scanner output:

INFO: Scanner configuration file: NONE
INFO: Project root configuration file: /root_dir/sonar-project.properties
INFO: SonarQube Scanner 3.2.0.1227
INFO: Java 1.8.0_191 Oracle Corporation (64-bit)
INFO: Linux 4.9.125-linuxkit amd64
INFO: User cache: /root/.sonar/cache
INFO: SonarQube server 7.4.0
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Publish mode
INFO: Load global settings
INFO: Load global settings (done) | time=126ms
INFO: Server id: <snip>
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=102ms
INFO: Load/download plugins (done) | time=130ms
INFO: Loaded core extensions:
INFO: Process project properties
INFO: Load project repositories
INFO: Load project repositories (done) | time=84ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=33ms
INFO: Load active rules
INFO: Load active rules (done) | time=554ms
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=27ms
INFO: Project key: security-scan
INFO: Project base dir: /root_dir/src
INFO: -------------  Scan Security Scan
INFO: Base dir: /root_dir/src
INFO: Working dir: /root_dir/src/.scannerwork
INFO: Source paths: config, dag_factories, operators, tasks
INFO: Test paths: tests
INFO: Source encoding: UTF-8, default locale: en_US
INFO: Load server rules
INFO: Load server rules (done) | time=187ms
INFO: Language is forced to py
INFO: Index files
INFO: Excluded sources:
INFO:   **/*.pyc
INFO:   **/*.ini
INFO: Excluded tests:
INFO:   **/*.pyc
INFO: 95 files indexed
INFO: 82 files ignored because of inclusion/exclusion patterns
INFO: Quality profile for py: Sonar way
INFO: Sensor Python Squid Sensor [python]
WARN: Metric 'comment_lines_data' is deprecated. Provided value is ignored.
INFO: Sensor Python Squid Sensor [python] (done) | time=2831ms
INFO: Sensor PythonXUnitSensor [python]
INFO: Sensor PythonXUnitSensor [python] (done) | time=318ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=6ms
INFO: Sensor SonarJavaXmlFileSensor [java]
INFO: Sensor SonarJavaXmlFileSensor [java] (done) | time=1ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=54ms
INFO: SCM Publisher is disabled
INFO: 3 files had no CPD blocks
INFO: Calculating CPD for 61 files
INFO: CPD calculation finished
INFO: Analysis report generated in 2349ms, dir size=617 KB
INFO: Analysis reports compressed in 15384ms, zip size=233 KB
INFO: Analysis report uploaded in 108ms
INFO: ANALYSIS SUCCESSFUL, you can browse https://sonarqube.mydomain/dashboard?id=security-scan
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarqube.mydomain/api/ce/task?id=<snip>
INFO: Task total time: 26.187 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 27.558s
INFO: Final Memory: 16M/295M
INFO: ------------------------------------------------------------------------
But in the SonarQube UI I cannot see the report. What am I missing?

Related questions

This is the only related question I could find. My problem is different: as I mentioned, the Bandit report is generated correctly locally, but the problem seems to be the upload to SonarQube.
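Before blaming the upload, it is worth checking the two things the scanner needs from the report: that it parses as the Bandit JSON structure, and that its findings point at files SonarQube actually indexed as sources (the excerpt above reports ./build/lib/tasks/compare_df.py while sonar.sources is src). The following Python script is an added example, not code from the question or from SonarSource; it embeds a constructed report in the shape of the Bandit 1.5.1 output quoted above, and assumes that a relative sonar.python.bandit.reportPaths value is resolved against the scanner's project base dir (/root_dir/src in the log above).

```python
import json
import posixpath
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample in the shape of Bandit 1.5.1 JSON output (same fields as the
# excerpt in the question); embedded so the script runs offline.
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "generated_at": "2019-01-30T14:49:18Z",
    "metrics": {"_totals": {"loc": 120, "nosec": 0}},
    "results": [
        {
            "code": "9     assert df is not None\n",
            "filename": "./build/lib/tasks/compare_df.py",  # outside sonar.sources=src
            "issue_confidence": "HIGH",
            "issue_severity": "LOW",
            "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
            "line_number": 9,
            "test_id": "B101",
            "test_name": "assert_used",
        },
        {
            "code": "9     assert df is not None\n",
            "filename": "./src/tasks/compare_df.py",
            "issue_confidence": "HIGH",
            "issue_severity": "LOW",
            "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
            "line_number": 9,
            "test_id": "B101",
            "test_name": "assert_used",
        },
        {
            "code": "14     subprocess.call(cmd, shell=True)\n",
            "filename": "./src/operators/run.py",
            "issue_confidence": "HIGH",
            "issue_severity": "HIGH",
            "issue_text": "subprocess call with shell=True identified, security issue.",
            "line_number": 14,
            "test_id": "B602",
            "test_name": "subprocess_popen_with_shell_equals_true",
        },
    ],
})

REQUIRED_TOP_LEVEL = ("errors", "generated_at", "results")
REQUIRED_RESULT_FIELDS = ("filename", "line_number", "issue_severity",
                          "issue_confidence", "issue_text", "test_id")


def parse_report(text):
    """Parse Bandit JSON output; reject anything that is not a JSON object."""
    report = json.loads(text)
    if not isinstance(report, dict):
        raise ValueError("Bandit report must be a JSON object")
    return report


def validate_report(report):
    """Return a list of structural problems; an empty list means the shape is importable."""
    problems = [f"missing top-level key: {k}" for k in REQUIRED_TOP_LEVEL if k not in report]
    if report.get("errors"):
        problems.append(f"bandit reported {len(report['errors'])} error(s) while scanning")
    for i, result in enumerate(report.get("results", [])):
        for field in REQUIRED_RESULT_FIELDS:
            if field not in result:
                problems.append(f"results[{i}] missing field: {field}")
    return problems


def count_by(report, field):
    """Count findings by one field, e.g. issue_severity, issue_confidence or test_id."""
    return Counter(r[field] for r in report["results"])


def findings_outside_sources(report, sources=("src",)):
    """Filenames of findings not under any sonar.sources directory. SonarQube attaches
    imported issues only to files it indexed, so these findings cannot show up in the UI."""
    roots = [PurePosixPath(s).parts for s in sources]
    outside = []
    for result in report["results"]:
        parts = PurePosixPath(result["filename"]).parts  # pathlib drops the leading "./"
        if not any(parts[:len(root)] == root for root in roots):
            outside.append(result["filename"])
    return outside


def resolve_report_path(base_dir, report_path):
    """Where the scanner will look for the report (assumption: relative paths resolve against the base dir)."""
    return report_path if posixpath.isabs(report_path) else posixpath.join(base_dir, report_path)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = parse_report(text)
    print("problems:", validate_report(report) or "none")
    print("by severity:", dict(count_by(report, "issue_severity")))
    print("outside sonar.sources:", findings_outside_sources(report))
    print("scanner will read:", resolve_report_path("/root_dir/src", "bandit-report.json"))
```

Run it against the real file with `python check_bandit_report.py bandit-report.json`. The "outside sonar.sources" list is the one to act on: a report produced over build/ output will parse fine and still contribute nothing to the dashboard, so scan the src tree (as the bandit command above does) or exclude build artefacts with Bandit's `--exclude` option.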


We recently added Bandit support in Python.

Are you using SonarPython 1.11 in your SonarQube 7.4 instance? You can check in $SQ_HOME/extensions/plugins. If that is not the case, simply replacing sonar-python-plugin-xxx.jar with 1.11 should solve the problem.


Thanks

You must add a .bandit file in the project root directory and define the rules in it.

Then you also need to install bandit in your environment with pip install bandit.
Hope this works for you. This approach worked for me; it generates a report defined by the rules.

Which version of Python do you have? (Because Bandit is supported starting from SonarPython 1.11.) Note: SonarPython 1.11 is embedded by default in SonarQube 7.6.

Nice. After I replaced sonar-python-plugin-1.10.0.2131.jar in /usr/local/sonar/extensions/plugins/ with sonar python plugin version 1.11.0.2473, grabbed from the releases page, and restarted the SonarQube service, I saw the report in the UI. The scanner also shows the upload in the log, which helps, +1:

INFO: Sensor Import of Bandit issues [python] (done) | time=738ms

Is it possible to filter the Bandit report from SonarQube? Last time I checked it only showed the report but could not do any classification. I may be wrong, @Alexandre - SonarSource, can you confirm?

Thanks Tony. As per my comment, my problem was resolved by upgrading to Python 1.11.0.2473.
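The answer and the comment thread above give two concrete checks: the SonarPython jar in $SQ_HOME/extensions/plugins must be at least 1.11, and a successful import shows up in the scanner log as the "Sensor Import of Bandit issues [python]" line, which is absent from the log in the question. The following Python script is an added example, not code from the thread or from SonarSource; it encodes both checks over a constructed plugin directory listing and a constructed log excerpt, and assumes the plugin jar keeps the sonar-python-plugin-<version>.jar naming seen above.

```python
import os
import re
import sys

# Constructed listing of $SQ_HOME/extensions/plugins, modelled on the jar names in the thread.
SAMPLE_PLUGIN_DIR = [
    "sonar-python-plugin-1.10.0.2131.jar",
    "sonar-java-plugin-5.8.0.15699.jar",
    "sonar-javascript-plugin-5.0.0.6962.jar",
]

# Constructed scanner log excerpt: the question's log plus the line the comment quotes after the upgrade.
SAMPLE_LOG = [
    "INFO: Sensor Python Squid Sensor [python] (done) | time=2831ms",
    "INFO: Sensor Import of Bandit issues [python] (done) | time=738ms",
    "INFO: ANALYSIS SUCCESSFUL, you can browse https://sonarqube.mydomain/dashboard?id=security-scan",
]

PLUGIN_JAR = re.compile(r"^sonar-python-plugin-(\d+(?:\.\d+)*)\.jar$")
MIN_VERSION = (1, 11)  # first SonarPython release that imports Bandit reports, per the answer
BANDIT_SENSOR = "Sensor Import of Bandit issues"


def parse_version(text):
    """'1.11.0.2473' -> (1, 11, 0, 2473); tuples compare element-wise, so 1.10.x < 1.11."""
    return tuple(int(p) for p in text.split("."))


def python_plugin_versions(filenames):
    """Version tuples of every SonarPython plugin jar in a directory listing."""
    versions = []
    for name in filenames:
        m = PLUGIN_JAR.match(name)
        if m:
            versions.append(parse_version(m.group(1)))
    return sorted(versions)


def check_bandit_support(filenames, minimum=MIN_VERSION):
    """(ok, message): can the installed SonarPython plugin import Bandit reports?"""
    versions = python_plugin_versions(filenames)
    if not versions:
        return False, "no sonar-python-plugin-*.jar in the listing"
    if len(versions) > 1:
        found = ", ".join(".".join(map(str, v)) for v in versions)
        return False, f"more than one SonarPython jar present ({found}); keep only one"
    installed = versions[0]
    label = ".".join(map(str, installed))
    if installed < minimum:
        return False, f"SonarPython {label} predates Bandit import; install {'.'.join(map(str, minimum))} or later"
    return True, f"SonarPython {label} supports Bandit import"


def bandit_import_ran(log_lines):
    """True if the scanner log shows the Bandit import sensor running."""
    return any(BANDIT_SENSOR in line for line in log_lines)


if __name__ == "__main__":
    # Usage: python check_sonarpython.py [/path/to/extensions/plugins] [scanner.log]
    listing = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLUGIN_DIR
    log = open(sys.argv[2], encoding="utf-8").read().splitlines() if len(sys.argv) > 2 else SAMPLE_LOG
    ok, message = check_bandit_support(listing)
    print(("OK: " if ok else "FAIL: ") + message)
    print("Bandit import sensor seen in scanner log:", bandit_import_ran(log))
```

The version check is deliberately strict about duplicate jars: the fix described in the thread replaces the 1.10 jar rather than adding the 1.11 jar beside it, and the script flags a listing that still contains both. The log check is the cheap confirmation to script into a CI job: if the sensor line never appears, the server side is not importing anything, whatever the report file looks like.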